Backup Administrators: The #1 Advice to Deal with GDPR and the Right of Erasure

The General Data Protection Regulation (GDPR) is a new privacy regulation across the European Union (EU) that will take effect on May 25, 2018. It provides EU individuals (aka “data subjects”) with more control over their personal data, ensures transparency about the use of data, and requires security and controls to protect data.[1] If your company offers goods or services (even for free) to EU residents, monitors EU residents’ behavior (including via cookies), or has any type of physical presence in the EU, then your organization is probably subject to GDPR compliance.

The GDPR is not solely a legislative exercise; it has a direct impact on backup, archive, and disaster recovery (DR).

The EU is calling for organizations to optimize their data handling practices in a number of key areas, including data removal and deletion.[2] EU residents have the right to be removed from the records of companies they have previously authorized to collect and store their data. This is called the “right to be forgotten” (which means purging the data, including from backups and DR copies)—and it is perhaps the most written-about obligation of the GDPR and probably the most impactful one for IT administrators. It gives an individual the right to order a business to erase his or her personal data. Data controllers (you) will have to erase all copies of, or links to, personal data where the data subject withdraws consent and there is no other legal ground for processing it.

Organizations have one month to answer a data removal request and ensure that all traces of personal information are wiped from their systems. But removing an individual from a historical backup can be challenging! What happens to long-retention backups? How do you deal with a removal request when your backup files include thousands of database entries?

The GDPR is open to interpretation, so we asked an EU Member State supervisory authority (CNIL in France) for clarification. CNIL confirmed that you’ll have one month to respond to a removal request, and that you don’t need to delete a backup set in order to remove an individual from it. Organizations will have to clearly explain to the data subject (using clear and plain language) that his or her personal data has been removed from production systems, and that although a backup copy may remain, it will expire after a certain amount of time (state the retention time in your communication with the data subject). Backups should only be used for restoring a technical environment, and the data subject’s personal data must not be processed again after a restore: it has to be deleted again. While this adds some complexity, it gives organizations some time to re-engineer their data protection processes.

Based on our understanding, here is our recommendation on how to complete a removal request with a limited impact on your existing backup processes and infrastructure.

In most cases, data will automatically expire with backups (most companies have backup retention schedules of three to five weeks—specific regulations are not taken into account here). But backups can be kept for longer, and the right to be forgotten won’t apply if the data controller needs to apply a longer retention for other compliance reasons.

But if your organization keeps backups for longer than a month or two for reasons other than compliance, ask yourself, “Do I really need to keep backups for months/years, or should I start archiving instead?”
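The recommendation above boils down to a small bookkeeping problem for the backup administrator: record each erasure request, compute the one-month response deadline, work out which backup sets still hold a copy of the subject's data and when the last of them expires (so the retention time can be stated in the notice to the data subject), and replay the ledger against any data restored from backup so the erased records are deleted again instead of being processed. The following Python is an added example written for this article, not code from the original post or from CNIL; the backup catalog, retention periods and subject records are constructed sample data, and the `ErasureLedger` class and its method names are this example's own.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta


def add_one_month(d: date) -> date:
    """Same day next month, clamped to that month's last day (e.g. Jan 31 -> Feb 28)."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class BackupSet:
    """One backup set in the catalog: when it was taken and how long it is kept."""
    name: str
    created: date
    retention_days: int

    @property
    def expires(self) -> date:
        return self.created + timedelta(days=self.retention_days)


@dataclass
class ErasureRequest:
    subject_id: str
    received: date
    production_erased: date | None = None  # set once the production copy is gone


@dataclass
class ErasureLedger:
    """Hypothetical ledger of erasure requests, kept outside the backup sets."""
    requests: dict[str, ErasureRequest] = field(default_factory=dict)

    def record(self, subject_id: str, received: date) -> ErasureRequest:
        req = ErasureRequest(subject_id, received)
        self.requests[subject_id] = req
        return req

    def response_deadline(self, subject_id: str) -> date:
        """The controller has one month to answer the request."""
        return add_one_month(self.requests[subject_id].received)

    def backups_still_holding(self, subject_id: str, catalog: list[BackupSet],
                              today: date) -> list[BackupSet]:
        """Backup sets taken before the production erasure that have not yet expired."""
        req = self.requests[subject_id]
        cutoff = req.production_erased  # None means production still holds the data
        return [b for b in catalog
                if (cutoff is None or b.created < cutoff) and b.expires > today]

    def last_copy_expires(self, subject_id: str, catalog: list[BackupSet],
                          today: date) -> date | None:
        remaining = self.backups_still_holding(subject_id, catalog, today)
        return max(b.expires for b in remaining) if remaining else None

    def notice(self, subject_id: str, catalog: list[BackupSet], today: date) -> str:
        """Plain-language statement for the data subject, including the retention time."""
        expiry = self.last_copy_expires(subject_id, catalog, today)
        if expiry is None:
            return "Your personal data has been erased from all of our systems."
        return ("Your personal data has been erased from our production systems. "
                "A copy remains in backups that are used only to restore our technical "
                f"environment; the last such copy expires on {expiry.isoformat()}.")

    def purge_after_restore(self, records: list[dict]) -> list[dict]:
        """Replay the ledger over records restored from backup so erased subjects are deleted again."""
        return [r for r in records if r["subject_id"] not in self.requests]


# Constructed sample catalog: weekly sets kept five weeks, one monthly set kept a year.
CATALOG = [
    BackupSet("weekly-2018-04-30", date(2018, 4, 30), 35),
    BackupSet("monthly-2018-05-01", date(2018, 5, 1), 365),
    BackupSet("weekly-2018-05-07", date(2018, 5, 7), 35),
    BackupSet("weekly-2018-05-14", date(2018, 5, 14), 35),
]


def demo() -> dict[str, object]:
    """Walk one constructed request through the ledger and return the key results."""
    ledger = ErasureLedger()
    req = ledger.record("ds-42", received=date(2018, 5, 10))
    req.production_erased = date(2018, 5, 12)  # production copy removed two days later
    today = date(2018, 5, 28)
    restored = [{"subject_id": "ds-42", "email": "a@example.invalid"},
                {"subject_id": "ds-7", "email": "b@example.invalid"}]  # constructed
    return {
        "deadline": ledger.response_deadline("ds-42").isoformat(),
        "holding": [b.name for b in ledger.backups_still_holding("ds-42", CATALOG, today)],
        "last_expiry": ledger.last_copy_expires("ds-42", CATALOG, today).isoformat(),
        "notice": ledger.notice("ds-42", CATALOG, today),
        "after_restore": [r["subject_id"] for r in ledger.purge_after_restore(restored)],
        "month_clamp": add_one_month(date(2018, 1, 31)).isoformat(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the point of the article: the three weekly sets are gone within five weeks, but the monthly set taken on 2018-05-01 keeps a copy until 2019-05-01, so that is the date the notice has to state, and the purge step is what keeps a restore from silently reintroducing the erased subject.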

[1] GDPR definitions (Article 4)

(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

(2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

[2] GDPR Article 17 Right of erasure (‘right to be forgotten’)

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent; d) the personal data have been unlawfully processed.